Advanced Policy Firewall (APF) on multiple network interfaces

I recently had to firewall multiple network interfaces (each bound to a different address) using Advanced Policy Firewall (APF). The hosts were virtual machines at Rackspace with one interface on the public Internet and a second on Rackspace's internal network, which is shared with other customers' machines. In other words, hosts on the local network could not be trusted any more than hosts on the Internet, so the private interface needed the same treatment as the public one.

APF makes this straightforward: enable the following two options in /etc/apf-firewall/conf.apf (the comments are APF's own):

# Virtual Network Sub-System (VNET) creates independent policy rule set for
# each IP on a system to /etc/apf-firewall/vnet/IP.rules. These rule files can be
# configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="1"


# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="1"

Once configured, restart APF (apf -r) so that it generates a rule set for each address. One caveat: a stock conf.apf ships with DEVEL_MODE="1", which installs a cron job that stops the firewall every five minutes; set it to "0" before relying on these rules. You can check that rules for each address are in place with:


iptables -L -n | grep -F my.first.ip.address

and

iptables -L -n | grep -F my.second.ip.address

(-F makes grep treat the dots in the address literally rather than as regex wildcards; with VNET enabled each address should show up in rules of its own.)

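As an added example (not part of the original post), here is a small POSIX shell script that audits a conf.apf for the two VNET settings above plus DEVEL_MODE, and then counts the iptables rules that mention each address you expect to be firewalled. The conf.apf fragments and the "iptables -L -n" excerpt it reads are constructed samples written to temporary files; the addresses 192.0.2.10, 10.0.0.25 and 10.0.0.250 are placeholders and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a conf.apf for the
# multi-interface settings and confirm iptables carries rules for each
# address. All inputs below are constructed samples in temporary files.

# Print the value of a conf.apf variable (last uncommented assignment wins,
# surrounding quotes stripped). Prints nothing if the variable is unset.
apf_conf_get() {
    # $1 = path to conf.apf, $2 = variable name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Check that SET_VNET and SET_ADDIFACE are on and DEVEL_MODE is off.
# Prints each problem found; returns 0 when the conf is fine, 1 otherwise.
apf_conf_check() {
    conf=$1
    rc=0
    for var in SET_VNET SET_ADDIFACE; do
        if [ "$(apf_conf_get "$conf" "$var")" != "1" ]; then
            echo "$var is not set to 1 in $conf"
            rc=1
        fi
    done
    # APF ships with DEVEL_MODE="1", which installs a cron job that stops
    # the firewall every five minutes, so treat it as an error.
    if [ "$(apf_conf_get "$conf" DEVEL_MODE)" = "1" ]; then
        echo "DEVEL_MODE is still 1 in $conf: cron will flush the rules"
        rc=1
    fi
    return "$rc"
}

# Count the rule lines in an "iptables -L -n" dump ($1) that mention the
# address $2. -F matches the dots literally; -w stops 10.0.0.25 from
# matching 10.0.0.250. "Chain ..." headers are excluded from the count.
rules_for_ip() {
    grep -Fw -- "$2" "$1" | grep -vc '^Chain ' || true
}

# Require at least one rule for every address given after the dump path.
ips_firewalled() {
    dump=$1
    shift
    rc=0
    for ip in "$@"; do
        n=$(rules_for_ip "$dump" "$ip")
        if [ "$n" -eq 0 ]; then
            echo "no iptables rules mention $ip"
            rc=1
        else
            echo "$ip: $n rule(s)"
        fi
    done
    return "$rc"
}

# Constructed sample inputs.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
IPT_DUMP=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF" "$IPT_DUMP"' EXIT

# The settings from the post, with development mode switched off.
cat > "$GOOD_CONF" <<'EOF'
IFACE_IN="eth0"
IFACE_OUT="eth0"
SET_VNET="1"
SET_ADDIFACE="1"
DEVEL_MODE="0"
EOF

# APF-style defaults: VNET off, extra interface unfirewalled, dev mode on.
cat > "$BAD_CONF" <<'EOF'
IFACE_IN="eth0"
IFACE_OUT="eth0"
# SET_VNET="1"
SET_VNET="0"
SET_ADDIFACE="0"
DEVEL_MODE="1"
EOF

# A made-up "iptables -L -n" excerpt: 192.0.2.10 stands in for the public
# address, 10.0.0.25 for the private one, 10.0.0.250 is another host.
cat > "$IPT_DUMP" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:80
DROP       all  --  0.0.0.0/0            192.0.2.10
ACCEPT     tcp  --  10.0.0.0/8           10.0.0.25            tcp dpt:3306
DROP       all  --  0.0.0.0/0            10.0.0.25
DROP       all  --  0.0.0.0/0            10.0.0.250
EOF

echo "== $GOOD_CONF"
apf_conf_check "$GOOD_CONF" && echo "conf OK"
echo "== $BAD_CONF"
apf_conf_check "$BAD_CONF" || echo "conf needs fixing before restart"
echo "== rules per address"
ips_firewalled "$IPT_DUMP" 192.0.2.10 10.0.0.25 || echo "some address is unprotected"
```

On a real host, point apf_conf_check at /etc/apf-firewall/conf.apf and feed ips_firewalled a dump produced by "iptables -L -n > /tmp/ipt.txt", listing every address from "ip -4 addr"; an address that returns zero rules is one the VNET sub-system has not picked up.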
